ON PROGRAM SYNTHESIS AND PROGRAM VERIFICATION


Zohar Manna                          Richard J. Waldinger

Computer Science Dept.               Artificial Intelligence Group
Stanford University                  Stanford Research Institute


Abstract 

Certain similarities between program verification and program synthesis are
pointed out. The analogy is illustrated using a "bubble-sort" program.


Recent work has shown that automatic deductive methods may be applied to the
problems of program verification [1] and program synthesis [2]. As it turns out,
these techniques are closely related. We demonstrate this relation using a
particular program.

VERIFICATION 


Consider the following program for "bubble-sorting" an array a of n+1 real
numbers a[0], ..., a[n]. (Ignore for a moment the attached assertions.)

[Figure 1: the bubble-sort program with its attached assertions; the figure is
not reproduced in this scan.]


We wish to prove that this program is correct, and that it always terminates.
To say that this program is correct is to say that when it halts,

(i) the elements of the array a are the same as those of the initial array,
but (ii) that they are in increasing order. It is clear that (i) holds, since
exchange(a, i, j) is the only operation applied to a, and exchange leaves the
contents of the array a unchanged except for order. Therefore we shall
concentrate on the establishment of (ii). Later we shall show that the program
terminates.

Following Floyd [1], we will attach the assertion Ordered(a,0,n) to the exit γ
of the program.

The predicate Ordered(a,k,l) is taken to mean that the elements
a[k], a[k+1], ..., a[l] are in increasing order. (This is considered to be
vacuously true if k > l.) Floyd's method requires that we affix assertions to
certain intermediate points in the program, at least one point within each
loop. These assertions describe the situation when control passes through
those points. For example, to point α we attach the assertion

    Ordered(a,i,n) ∧ {a[0], ..., a[i]} ≤ {a[i+1], ..., a[n]} .

The expression {a[k], ..., a[l]} represents the set {a[m] | k ≤ m ≤ l} (note
that this set is empty if k > l). Furthermore, for any two sets of real numbers
S and T, S ≤ T means that every element of S is less than or equal to any
element of T (which is vacuously true if either S or T is empty).

In order to demonstrate the correctness of the program, we have simply to prove
that when control passes through one of the labeled points, the values
currently assigned to the variables satisfy the corresponding assertion,
assuming that the assertion corresponding to the previous point was satisfied.
This implies that if control reaches the exit the corresponding assertion will
be satisfied, establishing the correctness of the program.

We have not yet discussed the termination of the program. We do this using the
notion of the "well-ordered" set [1]. For this program we consider the set of
pairs of non-negative integers well-ordered (lexicographically) as follows:

    (i₁, j₁) ≺ (i₂, j₂)

if and only if

    either i₁ < i₂

    or i₁ = i₂ and j₁ < j₂ .

There are no infinite sequences of pairs of non-negative integers that are
strictly decreasing under the above order. In our bubble-sort program, the
quantities i and i-j are non-negative whenever control passes through point β.
Furthermore, consider the sequence of pairs of non-negative integers
constructed as follows: whenever control passes through point β the current
value of (i, i-j) is added to the sequence. Then it can be shown that this
sequence is strictly decreasing under the lexicographic order. Since this
sequence must be finite, control can only pass through β finitely often; hence
the program must terminate.

SYNTHESIS 

To provide a basis for comparison, let us illustrate a synthesis process to
construct a bubble-sort program automatically. We are given the input-output
relation denoted by

    a* ≈ a ∧ Ordered(a*,0,n) ,

where a is the input vector, a* is the output vector, and a* ≈ a means that a
and a* are the same vectors up to reordering. In general, if we wish to
construct a program satisfying an input-output relation R(x,y), with input x
and output y, we can ask the synthesis system to find a constructive proof of
the theorem

    (∀x)(∃y)R(x,y) .

It then extracts a program that satisfies the above relation, and is thereby
guaranteed to terminate and be correct.

In this case, the theorem to be proved is

    (∀n)(∀a)(∃a*)[a* ≈ a ∧ Ordered(a*,0,n)] .

If the system is given this information alone, it will produce a sort program,
but we have no way of controlling the sorting method it will use. Therefore,
in order to direct the synthesis procedure to yield a bubble-sort program, and
also to facilitate the search for a proof, we give the theorem-prover some
additional information: it should use "going-down" induction [2] with the
hypothesis

    (∃a*)[{a*[0], ..., a*[i]} ≤ {a*[i+1], ..., a*[n]}
          ∧ a* ≈ a ∧ Ordered(a*,i,n)] .

Then the theorem-prover proves two lemmas:

I. (Initial step)

    (∃i)(∃a*)[{a*[0], ..., a*[i]} ≤ {a*[i+1], ..., a*[n]}
              ∧ a* ≈ a ∧ Ordered(a*,i,n)] .

II. (Inductive step)

    (∀i)[ i ≠ 0
          ∧ (∃a*)[{a*[0], ..., a*[i]} ≤ {a*[i+1], ..., a*[n]}
                  ∧ a* ≈ a ∧ Ordered(a*,i,n)]
          ⊃ (∃a*)[{a*[0], ..., a*[i-1]} ≤ {a*[i], ..., a*[n]}
                  ∧ a* ≈ a ∧ Ordered(a*,i-1,n)] ] .

If the system succeeds in proving both these lemmas, it can conclude

    (∃a*)[{a*[0]} ≤ {a*[1], ..., a*[n]}
          ∧ a* ≈ a ∧ Ordered(a*,0,n)] ,

which implies the desired result.
The proof of Lemma I is trivial, taking i to be n and a* to be a.

In order to prove Lemma II, the system finds it suffices to show

    {a*[0], ..., a*[i-1]} ≤ {a*[i]}

for any a* satisfying the antecedent of the implication. Failing to establish
this directly, it applies induction again; this time it uses "going-up"
induction with the hypothesis

    (∃a*)[{a*[0], ..., a*[i-1]} ≤ {a*[i], ..., a*[n]}
          ∧ a* ≈ a ∧ Ordered(a*,i-1,n)
          ∧ {a*[0], ..., a*[j-1]} ≤ {a*[j]}] ,

where j, j ≤ i, is the induction variable.

In applying the principle we derive two more lemmas to be proved: the proof of
the first is trivial, but the proof of the second requires case analysis and
gives rise to the program segment illustrated in Figure 2.

Then from the induction principles used, and the above segment, the synthesizer
will construct the program illustrated in Figure 1.
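Neither Figure 1 nor Figure 2 survives in this scan. The following is an added example, not the paper's own program or code, that reconstructs the bubble-sort program the text describes and serves both sections above: the outer loop is the going-down induction on i (Lemma I supplies i = n, a* = a; Lemma II is one inner pass), the inner loop is the going-up induction on j, and the assertions at α and β are checked at run time together with the termination ranking (i, i-j). The assertion at α is the one given in the VERIFICATION section; the assertion at β is an assumption made here, taken from the going-up induction hypothesis (α's assertion plus {a[0], ..., a[j-1]} ≤ {a[j]}), since the figure that carried it is missing. Function names and the sample input are constructed for this example.

```python
# Added example (not from the paper): the bubble-sort program described in the
# text, with the Floyd assertions at alpha and beta checked at run time and the
# termination ranking (i, i-j) recorded on every pass through beta.
from typing import List, Tuple


def ordered(a: List[float], k: int, l: int) -> bool:
    """Ordered(a,k,l): a[k] <= a[k+1] <= ... <= a[l]; vacuously true when k > l."""
    return all(a[m] <= a[m + 1] for m in range(k, l))


def seg(a: List[float], k: int, l: int) -> List[float]:
    """The collection {a[k], ..., a[l]}; empty when k > l."""
    return a[k:l + 1] if k <= l else []


def leq_sets(s: List[float], t: List[float]) -> bool:
    """S <= T: every element of S is <= every element of T (vacuous if either is empty)."""
    return all(x <= y for x in s for y in t)


def exchange(a: List[float], i: int, j: int) -> None:
    """The only operation applied to a: swap a[i] and a[j] (contents preserved)."""
    a[i], a[j] = a[j], a[i]


def alpha_holds(a: List[float], i: int, n: int) -> bool:
    """Assertion attached to point alpha (as given in the paper):
    Ordered(a,i,n) and {a[0..i]} <= {a[i+1..n]}."""
    return ordered(a, i, n) and leq_sets(seg(a, 0, i), seg(a, i + 1, n))


def beta_holds(a: List[float], i: int, j: int, n: int) -> bool:
    """Assertion at point beta (assumed here, from the going-up induction
    hypothesis): alpha's assertion plus {a[0..j-1]} <= {a[j]}."""
    return alpha_holds(a, i, n) and leq_sets(seg(a, 0, j - 1), seg(a, j, j))


def inner_pass(a: List[float], i: int, n: int, ranks: List[Tuple[int, int]]) -> None:
    """One instance of Lemma II, realised as the going-up loop on j: starting
    from alpha at i, bubble the largest of a[0..i] into a[i], which yields
    alpha at i-1 for the next outer iteration."""
    j = 0
    while j < i:
        assert beta_holds(a, i, j, n)
        assert i >= 0 and i - j >= 0        # both components non-negative at beta
        ranks.append((i, i - j))            # value of (i, i-j) on this pass through beta
        if a[j] > a[j + 1]:
            exchange(a, j, j + 1)
        j += 1
    # what Lemma II needed to show: {a[0..i-1]} <= {a[i]}
    assert leq_sets(seg(a, 0, i - 1), seg(a, i, i))


def bubble_sort_checked(inp: List[float]) -> Tuple[List[float], List[Tuple[int, int]]]:
    """Sort a copy of inp, checking every assertion on the way, and return the
    sorted array together with the sequence of (i, i-j) pairs seen at beta."""
    a = list(inp)
    n = len(a) - 1                 # the paper's a[0..n]; assumes at least one element
    ranks: List[Tuple[int, int]] = []
    i = n                          # Lemma I: i = n, a* = a satisfies the hypothesis
    while i > 0:                   # the paper's test i != 0 (i never goes negative)
        assert alpha_holds(a, i, n)
        inner_pass(a, i, n, ranks)
        i -= 1                     # going-down induction on i
    assert ordered(a, 0, n)        # assertion at the exit gamma
    assert sorted(a) == sorted(inp)  # a* ~ a: same elements up to reordering
    return a, ranks


def strictly_decreasing_lex(pairs: List[Tuple[int, int]]) -> bool:
    """Python compares tuples lexicographically, which is exactly the paper's
    well-ordering on pairs; the sequence must be strictly decreasing."""
    return all(p > q for p, q in zip(pairs, pairs[1:]))


if __name__ == "__main__":
    # constructed sample input, not data from the paper
    result, ranks = bubble_sort_checked([5, -1, 5, 0, 2])
    print(result, ranks, strictly_decreasing_lex(ranks))
```

Running the block prints the sorted array, the ten (i, i-j) pairs recorded at β for a five-element input, and `True` for the strict-decrease check. Any violation of an assertion raises `AssertionError` at the exact control point, which is how the Floyd-style proof obligations become executable checks; the inductive-step check after each inner pass is the fact the synthesis proof had to establish for Lemma II.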


CONCLUSION

The parallel between the analysis and synthesis methods is striking. The
well-ordering used in proving termination corresponds precisely to the
induction principles used in the synthesis proof. Furthermore, the two
assertions associated with arcs α and β respectively in the correctness proof
are essentially the same as the two induction hypotheses used in the synthesis
proof. In fact, if the proofs are examined in detail, one finds that the same
axioms and rules of inference are used in each proof. However, the synthesis
proof requires much more ingenuity from the theorem-prover, as is to be
expected.